The NSA Exploited the OpenSSL Heartbleed Bug for 2 Years

According to a report coming out of Bloomberg, the NSA supposedly knew of the OpenSSL Heartbleed bug for nearly 2 years and used it to their advantage when they needed to. This makes the entire belief that the bug was an accidental mistake in the code that hadn’t been noticed much less probable. Not to mention the fact that the heartbleed bug is effecting almost the entire internet and puts the security of most passwords into question. The problem, however, is that not enough websites have fixed their certificates to patch this issue. There are hundreds of thousands if not millions of affected sites that handle critical user email accounts, bank accounts and various other sensitive data. The day that the bug was found and announced a fix was also issued to resolve the issue, however, system administrators are slow to implement the fix as attacks are already supposedly under way.

In any case, it is advisable to change all of your passwords to sensitive accounts and to enable 2-step authentication as well, considering the fact that such issues could be discovered in the future and that you could be vulnerable until then, like now. The real truth of the matter is that this issue is an unfortunate situation and in today’s online world there is no doubt that one has to remain vigilant and stay on top of all potential security risks. It also doesn’t help that the NSA and CIA are building backdoors into hardware across the entire IT industry and that they are effectively building in backdoors for hackers to exploit if they figure out how and where to look. The fact that these governmental agencies are doing this in light of trying to claim that foreign companies cannot be trusted (see Huawei) is hypocritical at the very least and damaging to the US economy at the very most. There is no doubt in my mind that the government’s involvement in both covert espionage and industrial espionage is causing other countries to not want to do business with US companies, even if those companies have absolutely no knowledge of their insecurities.

As far as this Heartbleed bug goes, you should be mindful of your passwords and accounts and likely change them over the course of the next few days as companies update their OpenSSL and issue new certificates. Unfortunately, until then, you’re pretty much cannon fodder for any hackers that want to exploit this. So, be careful and enable 2-step authentication wherever possible, because even if they have your password, the likelihood that they ALSO have access to your phone is very narrow. However, some 2-step authenticaion does use email, so be careful of that and change your email passwords ASAP.